Tag Info

The question "why is preimage resistance needed for hash functions" is not really relevant. This is because collision resistance implies preimage resistance. Thus, it is just a fact that if you have collision resistance then you must have preimage resistance.
So, instead, I will relate to what preimage resistance is good for at all. In more technical ...

As far as we know, SHA512 acts like a random function. So, the only way we know to find a preimage whose hash starts with 0x12345678, is to go through distinct preimages, and hash each one until we find one that starts with 0x12345678.
If the output of SHA512 is equidistributed (and we have no reason to believe it isn't), then the probability of any hash ...

If we use $H_1(X) = H_0(X) \oplus \operatorname{firstnbits}(X)$, this would seem to be trivial.
EDIT: As Cédric Van Rompay pointed out, this is only a counterexample if $H_1$ winds up being preimage-resistant. This may not be a necessary consequence of $H_0$ being preimage-resistant, but I really only need one case where it is.

When the output of the hash function is $n$ bits, then there are $2^n$ possible outputs.
For a preimage attack you are given a hash $h$ and you need to find a message $m$ where $h = H(m)$.
Since there are $2^n$ possible outputs, the probability of guessing an input that maps to the given output is $\dfrac{1}{2^n}$. So on average you need to try $2^n$ ...

There are a lot of other uses for hash functions than signature algorithms.
For example, when used as a MAC – whether directly or in HMAC – a preimage attack would recover the key and allow forgery for arbitrary messages.
Even specifically in signature algorithms there's the Lamport signature which requires preimage resistance.
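
To make the Lamport point concrete, here is an added example (not part of the original answer) of a Lamport one-time signature, assuming SHA-256 as the hash; all function names are illustrative. The public key is a list of hashes and a signature reveals their preimages, so anyone who could invert the hash could sign without the secret key.

```python
import hashlib
import secrets

N = 256  # bits in the message digest; one pair of secrets per bit

def H(data: bytes) -> bytes:
    # Assumption for this example: SHA-256 plays the role of the hash function.
    return hashlib.sha256(data).digest()

def digest_bits(message: bytes):
    d = int.from_bytes(H(message), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def keygen():
    # Secret key: two random 32-byte values per digest bit.
    # Public key: the hash of every secret value.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, message: bytes):
    # Reveal one secret per bit of the digest. A key pair signs ONE message only:
    # a second signature would reveal further preimages.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]

def verify(pk, message: bytes, signature) -> bool:
    if len(signature) != N:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        # Each revealed value must be a preimage of the matching public hash.
        ok &= secrets.compare_digest(H(signature[i]), pk[i][bit])
    return bool(ok)

def preimages_needed(signed_msg: bytes, target_msg: bytes) -> int:
    # Positions where the target digest selects the slot the signature did NOT
    # reveal. Each such slot is a public hash whose preimage is still secret,
    # which is exactly what preimage resistance protects.
    a, b = digest_bits(signed_msg), digest_bits(target_msg)
    return sum(1 for x, y in zip(a, b) if x != y)

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("other message accepted:", verify(pk, b"another message", sig))
    print("unrevealed preimages a forgery would need:",
          preimages_needed(msg, b"another message"))
```
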

Consider this hash:
$$H(m) = m$$
Where we define its domain to be messages of some arbitrary fixed-length.
It is completely second pre-image resistant.
It is not at all first pre-image resistant.
Therefore:
Second pre-image resistance does not imply first pre-image resistance.